Forum Discussion
Azure AD SSPR Password write back issue
- Feb 18, 2022
Hi Bilal, the SSPR reset is functioning again! I found out that the “Network access: Restrict clients allowed to make remote calls to SAM” GPO was set up in the local GPO of the DCs. The issue is resolved by adding the AD DS connector account into that GPO on both domains.
For future readers:
1: Open Local Security Policy, click Start, type secpol.msc
2: Navigate the console tree to Security Settings\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
3: Right-Click and Select Properties
4: On the Template Security Policy Setting, Click Edit Security
5: Under Group or user names, Click Add the AD DS connector account
6: Leave everything default, and Click OK
Thank you again for your knowledge and time.
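As an added example (not part of this thread, and not the poster's own steps), the same check done from PowerShell on a domain controller. The policy above is stored as an SDDL string in the RestrictRemoteSAM value under the Lsa registry key; the script reports who currently holds Remote Access (READ_CONTROL, "RC" in SDDL), and with -Apply appends an Allow ACE for the connector account. The account name is a placeholder, and the Administrators-only baseline used when the value is absent is an assumption for this example.

```powershell
<#
  Added example, not from the thread: audit (and optionally extend) the
  "Network access: Restrict clients allowed to make remote calls to SAM"
  setting on the DC this runs on. Run elevated on each DC in each domain.
#>
param(
    [string]$ConnectorAccount = 'CONTOSO\MSOL_0123456789ab',  # placeholder: your AD DS connector account
    [switch]$Apply                                            # without -Apply the script only reports
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'RestrictRemoteSAM'
# Starting point when the value is absent: Administrators only, with READ_CONTROL,
# which the policy dialog shows as "Remote Access". (Assumption for this example.)
$baselineSddl = 'O:BAG:BAD:(A;;RC;;;BA)'
$READ_CONTROL = 0x20000

# Resolve the connector account to a SID; a mistyped name throws here rather
# than producing an ACE for a principal that does not exist.
$sid = ([System.Security.Principal.NTAccount]$ConnectorAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])

$current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ([string]::IsNullOrEmpty($current)) {
    Write-Host "$valueName is not set on this host; using baseline $baselineSddl"
    $current = $baselineSddl
} else {
    Write-Host "Current ${valueName}: $current"
}

# Parse the SDDL so the individual ACEs can be inspected.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)
$hasAccess = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: print it raw
    Write-Host ("  {0,-14} {1}" -f $ace.AceType, $who)
    if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $ace.SecurityIdentifier -eq $sid -and
        ($ace.AccessMask -band $READ_CONTROL) -ne 0) {
        $hasAccess = $true
    }
}

if ($hasAccess) {
    Write-Host "$ConnectorAccount already has Remote Access to SAM; nothing to do."
    return
}

# Append an Allow ACE granting READ_CONTROL (Remote Access) to the connector account.
$newAce = New-Object System.Security.AccessControl.CommonAce(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $READ_CONTROL, $sid, $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
Write-Host "Proposed ${valueName}: $newSddl"

if ($Apply) {
    Set-ItemProperty -Path $regPath -Name $valueName -Value $newSddl -Type String
    Write-Host "Applied. A local or domain GPO that defines this setting will reapply its own value on the next policy refresh."
}
```

Run it without -Apply first to see the current descriptor. Where the setting comes from a GPO, as in the thread, the secpol.msc steps above are the change that survives a policy refresh; the registry write is useful on a host where the value is not policy-managed, or to confirm what the resulting SDDL should look like.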
Hi BilalelHadd, thank you for the response!
- Did you enable inheritance for the AD account(s)
-- Yes, did check this also. The AD DS connector account has all the rights:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback#verify-that-azure-ad-connect-has-the-required-permissions
- Did you enable Password writeback in the Azure AD Connect configuration?
Yes
- Did you enable SSPR in the Azure AD Portal?
Yes
- Do you have a valid Azure AD Premium license?
Yes
It just stopped working since Monday this week (2/7/22), and only for the action 'Reset password (self-service)'.
'Change password (self-service)' works as it is supposed to. So users can change their password via account settings in the M365 user portal, but cannot reset it on passwordreset.microsoftonline.com. Both use the OnPremisesAgent ->> AADConnect.
Thanks for the answer. Do you know that there is a difference between AD DS connect permissions and inheritance permissions? If so, then I assume that the user object rights are configured correctly. Do you have a screenshot of the current Domain Policy where the password policy is stated?
- vand3rlinden Feb 11, 2022 Brass Contributor
Thanks for troubleshooting with me!
* Do you know that there is a difference between AD DS connect permissions and inheritance permissions? If so, then I assume that the user object rights are configured correctly.
Yes, please check below screenshot
inheritance-enabled.png
Inheritance = enabled and MSOL_xxxx has all the rights to reset the password on the object.
* Do you have a screenshot of the current Domain Policy where the password policy is stated?
- BilalelHadd Feb 14, 2022 Iron Contributor
Hi vand3rlinden,
No problem! We are here to help.
In regards to your password policy, this is configured correctly. The event id 33004 is related to credentials. I am pretty sure that your issue is related to the service account's permissions. If you are stating that the permissions are configured correctly, I would like to ask you to run the below commands on the Service Account(s):
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>
Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>
More information about running these commands and the module can be found here:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account
Let me know what happens when a user tries to reset his password after running the commands.
- vand3rlinden Feb 14, 2022 Brass Contributor
Hi BilalelHadd,
Thank you for this, unfortunately no luck. Had a call about this with MS support last Friday; we set the AD DS connector account to have the default permissions and set the password writeback permissions with the troubleshooting tool within AD Connect.
I assume that too regarding the message we get from Event Viewer, event id 33004. I faced the same error many times, and it was always the AD DS connector account. The strange thing is that, as mentioned, SSPR (change action) is still working and it goes over the same connector as SSPR (reset action). So with setting all the default permissions and seeing that the AD DS connector account can change or reset the password of the object, both MS support and I crossed it off that it concerns this account.
MS support told me to change the Default Domain Policy GPO to Maximum password age: 30 or 42 days. But the policy is not managed with this GPO but by using fine-grained password policies (FGPP) in ADAC, which set the maximum password age to 90 days. And also here, we did not change anything; it just began on Monday 7/2/22 without us changing anything.
I ask the team if they can clarify this.
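The two posts above argue about whether the connector account really holds the writeback rights, based on the Set-ADSync*Permissions cmdlets and the troubleshooting tool in AD Connect. As an added example (not from the thread, the cmdlets or Microsoft's tooling), this script reads the ACLs directly and checks the rights listed in the troubleshooting article linked earlier: Reset Password, write to lockoutTime and pwdLastSet on a user, and Unexpire Password on the domain root. It needs the ActiveDirectory module (RSAT); the account and user names are placeholders, and the GUIDs are looked up from the schema and configuration partitions rather than hard-coded.

```powershell
<#
  Added example, not from the thread: verify that the AD DS connector account
  holds the rights SSPR password writeback needs on one user and on the domain
  root. Read-only; it changes nothing.
#>
Import-Module ActiveDirectory

# $true if any ACE in $Aces grants $Right for $ObjectType (or for all object types / GenericAll).
# Property-set ACEs are not expanded, so a right granted only via a property set is reported as missing.
function Test-RightGranted {
    param($Aces, [System.DirectoryServices.ActiveDirectoryRights]$Right, [guid]$ObjectType)
    foreach ($ace in $Aces) {
        $rights = $ace.ActiveDirectoryRights
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { return $true }
        if ($rights.HasFlag($Right) -and
            ($ace.ObjectType -eq $ObjectType -or $ace.ObjectType -eq [guid]::Empty)) { return $true }
    }
    return $false
}

function Test-WritebackPermissions {
    param(
        [Parameter(Mandatory)][string]$ConnectorAccount,   # e.g. 'CONTOSO\MSOL_0123456789ab' (placeholder)
        [Parameter(Mandatory)][string]$UserSamAccountName  # a user whose reset fails (placeholder)
    )
    $rootDse = Get-ADRootDSE

    # Attribute GUIDs from the schema partition.
    $attrGuid = @{}
    foreach ($attr in 'lockoutTime', 'pwdLastSet') {
        $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                          -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
        $attrGuid[$attr] = [guid]$o.schemaIDGUID
    }
    # Extended-right GUIDs from the configuration partition.
    $rightGuid = @{}
    foreach ($right in 'Reset Password', 'Unexpire Password') {
        $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                          -LDAPFilter "(displayName=$right)" -Properties rightsGuid
        $rightGuid[$right] = [guid]$o.rightsGuid
    }

    # Allow ACEs for the connector account, explicit or inherited.
    $filter   = { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ConnectorAccount }
    $user     = Get-ADUser -Identity $UserSamAccountName
    $userAces = (Get-Acl -Path "AD:\$($user.DistinguishedName)").Access | Where-Object $filter
    $rootAces = (Get-Acl -Path "AD:\$($rootDse.defaultNamingContext)").Access | Where-Object $filter

    $WriteProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $ExtRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    [pscustomobject]@{
        User             = $user.DistinguishedName
        ConnectorAccount = $ConnectorAccount
        ResetPassword    = Test-RightGranted $userAces $ExtRight  $rightGuid['Reset Password']
        WriteLockoutTime = Test-RightGranted $userAces $WriteProp $attrGuid['lockoutTime']
        WritePwdLastSet  = Test-RightGranted $userAces $WriteProp $attrGuid['pwdLastSet']
        UnexpirePassword = Test-RightGranted $rootAces $ExtRight  $rightGuid['Unexpire Password']
    }
}

# Usage with placeholder names:
# Test-WritebackPermissions -ConnectorAccount 'CONTOSO\MSOL_0123456789ab' -UserSamAccountName 'jdoe'
```

A row of all $true on both domains means the object-level permissions are in place and, as this thread ended up showing, the next thing to look at is what sits between AD Connect and the DC, such as the remote SAM restriction policy; a $false tells you which of the Set-ADSync*Permissions cmdlets to rerun.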